Workflow: dependabot-go-checker.md
Impact: Agentic Maintenance workflow fails at compile-workflows step — 199/200 compiled, 1 error
First seen: 2026-04-23T11:00Z run §24831492077
Error
✗ dependabot-go-checker.md
dependabot-go-checker.md:1:1: error: invalid workflow: GitHub Actions schema validation failed
- at '/jobs/agent/permissions': 'oneOf' failed, none matched
- at '/jobs/agent/permissions': additional properties 'vulnerability-alerts' not allowed
Root Cause
dependabot-go-checker.md declares vulnerability-alerts: read in its permissions: block. The GitHub Actions JSON schema does not allow vulnerability-alerts as a permissions key in a job's permissions block — it appears the gh-aw compiler previously accepted this but now the schema validation is rejecting it.
Fix Options
- Remove vulnerability-alerts: read from frontmatter — if the workflow doesn't actually need this permission at the job level, remove it. The permission may be a leftover from a toolset requirement.
- Move to workflow-level permissions — if needed, vulnerability-alerts may need to be specified at the workflow top-level rather than the job level.
- Update compiler schema — if vulnerability-alerts is a valid GitHub Actions job-level permission, update the JSON schema used by the compiler.
Frontmatter (current)
permissions:
  contents: read
  actions: read
  issues: read
  pull-requests: read
  security-events: read
  vulnerability-alerts: read # <-- this line causes schema validation failure
Impact
Agentic Maintenance fails on every run until this is resolved. The workflow cannot compile and thus cannot recompile other stale workflows or check for compile errors across the ecosystem.
References:
Generated by Workflow Health Manager - Meta-Orchestrator
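
A pre-compile lint for the failure described in this report, as an added example (not part of the original issue and not gh-aw's own code): it scans frontmatter for block-style `permissions:` mappings and reports keys outside an allow-list, with line numbers. `ALLOWED_SCOPES`, `SAMPLE_FRONTMATTER` and `unknown_permission_keys` are hypothetical names, and the allow-list is an assumption to be replaced with the keys from the schema the compiler validates against.

```python
import re

# Assumption: permission scopes accepted by the schema in use. Replace with
# the keys from the JSON schema your compiler actually validates against.
ALLOWED_SCOPES = {
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "packages", "pages",
    "pull-requests", "security-events", "statuses",
}

# Constructed sample: the frontmatter quoted in this report.
SAMPLE_FRONTMATTER = """\
permissions:
  contents: read
  actions: read
  issues: read
  pull-requests: read
  security-events: read
  vulnerability-alerts: read
"""

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_-]+)\s*:")


def unknown_permission_keys(frontmatter, allowed=ALLOWED_SCOPES):
    """Return (line_number, key) for every key inside a block-style
    `permissions:` mapping (workflow- or job-level) not in `allowed`."""
    findings = []
    block_indent = None  # indent of the enclosing `permissions:` line
    for lineno, raw in enumerate(frontmatter.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # ignore trailing comments
        m = KEY_RE.match(line)
        if not m:
            continue  # blank line, list item, or continuation text
        indent, key = len(m.group(1)), m.group(2)
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # dedent: left the permissions block
        if block_indent is None:
            if key == "permissions":
                block_indent = indent
            continue
        if key not in allowed:
            findings.append((lineno, key))
    return findings
```

Running this over workflow sources before the compile step surfaces the offending key and its line without waiting for the schema validator's `oneOf` error.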